Received: by 2002:a25:8b12:0:0:0:0:0 with SMTP id i18csp2652743ybl; Mon, 19 Aug 2019 05:36:40 -0700 (PDT) X-Google-Smtp-Source: APXvYqxteKbXKQYxW1xLEZV6Sv8nGN7jaZLGCzQcAMNbPDDEeQ8+3+oiN0BhvYTbijthaA3eXGlI X-Received: by 2002:a17:902:6b81:: with SMTP id p1mr22117248plk.91.1566218200641; Mon, 19 Aug 2019 05:36:40 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1566218200; cv=none; d=google.com; s=arc-20160816; b=UEYdtOGHNNv9Q4mO+M3k7Hs+cIDGqr0AWvbgxYNtx7cE5Pqqe7rNAU84soKEB4qz/4 TRwKpipL6gxZW+1VYElxpbCNlszbnKFp4SeDizKyZjesbtb3Umy2jQk4gGnSFUaelGe3 HSM0oQQjjsKMFP/HyCZF+FJb0auCf3Q0xyvOYewuVAEGJBFs370hkiSx2WiRqi51f5pM uy2j3eIadvZcluRcikXvtaLy6YLHRGtmcN4UqSFh81xQcmfCbhLsShvs7Xan7V8OPZ00 ccin3+GgI5Knr4PFejCrDDVPif1J7wF297e6QrxP6aeTq2P1Hg1QcGQ4h36lMmRcC4kx q6CQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:references:in-reply-to:date :subject:cc:to:from; bh=cw2MIw2JZCQ9eXr03pTH8yvcpPNa7yCNbFD2cgkj/Sw=; b=B4AgkL7g36ZpNektxQUXQxNY2+6w5KLmraQuayZvK4vU0MAEVkb6s4vrvlP1ZJNifQ MjYPUJIzbsVKkbLd52fJRr/9TFqKsOeIDJDhBwIia91IxuYxwlHRunt/1KCluMRqPrII VLIhh3NcB1belvJI7WvrfbosZ6d26F2CZXFRSioKvAzqrIiRmhU5Mawd3xIn5EdXTCtn AteMAiVb4oHZfeh1X83adAPL0PqOqB9lVeuxJa7nOGwO7uluFjCTRrK5y6phRelgH4FR 8n68WwW+ius1WU311ARzsIi4uuEU3zMJAK/x0KaVq+hf+rQiyOieoo7JD7ENb5bALSVg zTZA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v11si9672595pgr.237.2019.08.19.05.36.25; Mon, 19 Aug 2019 05:36:40 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727562AbfHSMfe (ORCPT + 99 others); Mon, 19 Aug 2019 08:35:34 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:32216 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727477AbfHSMfe (ORCPT ); Mon, 19 Aug 2019 08:35:34 -0400 Received: from pps.filterd (m0098409.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x7JCXWcE113309 for ; Mon, 19 Aug 2019 08:35:33 -0400 Received: from e06smtp02.uk.ibm.com (e06smtp02.uk.ibm.com [195.75.94.98]) by mx0a-001b2d01.pphosted.com with ESMTP id 2ufsp0nre3-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 19 Aug 2019 08:35:32 -0400 Received: from localhost by e06smtp02.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 19 Aug 2019 13:35:30 +0100 Received: from b06cxnps3075.portsmouth.uk.ibm.com (9.149.109.195) by e06smtp02.uk.ibm.com (192.168.101.132) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Mon, 19 Aug 2019 13:35:27 +0100 Received: from d06av25.portsmouth.uk.ibm.com (d06av25.portsmouth.uk.ibm.com [9.149.105.61]) by b06cxnps3075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x7JCZQoF61341756 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 19 Aug 2019 12:35:26 GMT Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 1759011C054; Mon, 19 Aug 2019 12:35:26 +0000 (GMT) Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id C62AE11C04C; Mon, 19 Aug 2019 12:35:23 +0000 (GMT) Received: from swastik.ibm.com (unknown [9.80.231.242]) by d06av25.portsmouth.uk.ibm.com (Postfix) with ESMTP; Mon, 19 Aug 2019 12:35:23 +0000 (GMT) From: Nayna Jain To: linuxppc-dev@ozlabs.org, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Michael Ellerman , Paul Mackerras , Benjamin Herrenschmidt , Ard Biesheuvel , Jeremy Kerr , Matthew Garret , Mimi Zohar , Claudio Carvalho , Elaine Palmer , George Wilson , Eric Ricther , Nayna Jain Subject: [PATCH v5 2/2] powerpc: Add support to initialize ima policy rules Date: Mon, 19 Aug 2019 08:35:08 -0400 X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1566218108-12705-1-git-send-email-nayna@linux.ibm.com> References: <1566218108-12705-1-git-send-email-nayna@linux.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 19081912-0008-0000-0000-0000030AB4FA X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19081912-0009-0000-0000-00004A28D845 Message-Id: <1566218108-12705-3-git-send-email-nayna@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-08-19_03:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1906280000 definitions=main-1908190142 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org POWER secure boot relies on the kernel IMA security subsystem to perform the OS kernel image signature verification. Since each secure boot mode has different IMA policy requirements, dynamic definition of the policy rules based on the runtime secure boot mode of the system is required. On systems that support secure boot, but have it disabled, only measurement policy rules of the kernel image and modules are defined. This patch defines the arch-specific implementation to retrieve the secure boot mode of the system and accordingly configures the IMA policy rules. This patch provides arch-specific IMA policies if PPC_SECURE_BOOT config is enabled. Signed-off-by: Nayna Jain --- arch/powerpc/Kconfig | 2 ++ arch/powerpc/kernel/Makefile | 2 +- arch/powerpc/kernel/ima_arch.c | 50 ++++++++++++++++++++++++++++++++++ include/linux/ima.h | 3 +- 4 files changed, 55 insertions(+), 2 deletions(-) create mode 100644 arch/powerpc/kernel/ima_arch.c diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig index c902a39124dc..42109682b727 100644 --- a/arch/powerpc/Kconfig +++ b/arch/powerpc/Kconfig @@ -917,6 +917,8 @@ config PPC_SECURE_BOOT bool default n depends on PPC64 + depends on IMA + depends on IMA_ARCH_POLICY help Linux on POWER with firmware secure boot enabled needs to define security policies to extend secure boot to the OS.This config diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile index d310ebb4e526..520b1c814197 100644 --- a/arch/powerpc/kernel/Makefile +++ b/arch/powerpc/kernel/Makefile @@ -157,7 +157,7 @@ endif obj-$(CONFIG_EPAPR_PARAVIRT) += epapr_paravirt.o epapr_hcalls.o obj-$(CONFIG_KVM_GUEST) += kvm.o kvm_emul.o -obj-$(CONFIG_PPC_SECURE_BOOT) += secboot.o +obj-$(CONFIG_PPC_SECURE_BOOT) += secboot.o ima_arch.o # Disable GCOV, KCOV & sanitizers in odd or sensitive code GCOV_PROFILE_prom_init.o := n diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c new file mode 100644 index 000000000000..ac90fac83338 --- /dev/null +++ b/arch/powerpc/kernel/ima_arch.c @@ -0,0 +1,50 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) 2019 IBM Corporation + * Author: Nayna Jain + * + * ima_arch.c + * - initialize ima policies for PowerPC Secure Boot + */ + +#include +#include + +bool arch_ima_get_secureboot(void) +{ + return get_powerpc_secureboot(); +} + +/* + * File signature verification is not needed, include only measurements + */ +static const char *const default_arch_rules[] = { + "measure func=KEXEC_KERNEL_CHECK", + "measure func=MODULE_CHECK", + NULL +}; + +/* Both file signature verification and measurements are needed */ +static const char *const sb_arch_rules[] = { + "measure func=KEXEC_KERNEL_CHECK template=ima-modsig", + "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig", +#if IS_ENABLED(CONFIG_MODULE_SIG) + "measure func=MODULE_CHECK", +#else + "measure func=MODULE_CHECK template=ima-modsig", + "appraise func=MODULE_CHECK appraise_type=imasig|modsig", +#endif + NULL +}; + +/* + * On PowerPC, file measurements are to be added to the IMA measurement list + * irrespective of the secure boot state of the system. Signature verification + * is conditionally enabled based on the secure boot state. + */ +const char *const *arch_get_ima_policy(void) +{ + if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) + return sb_arch_rules; + return default_arch_rules; +} diff --git a/include/linux/ima.h b/include/linux/ima.h index a20ad398d260..10af09b5b478 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -29,7 +29,8 @@ extern void ima_kexec_cmdline(const void *buf, int size); extern void ima_add_kexec_buffer(struct kimage *image); #endif -#if (defined(CONFIG_X86) && defined(CONFIG_EFI)) || defined(CONFIG_S390) +#if (defined(CONFIG_X86) && defined(CONFIG_EFI)) || defined(CONFIG_S390) \ + || defined(CONFIG_PPC_SECURE_BOOT) extern bool arch_ima_get_secureboot(void); extern const char * const *arch_get_ima_policy(void); #else -- 2.20.1